Getting Data In

Search for a list of installed packages with version numbers for a host

yrb6924
New Member

I've managed to create a search which will list for me all installed packages on a particular host, but I need to have a list of packages with the version number. Any idea how I can modify/improve this search to give me this?

host=[hostname] sourcetype=package | multikv noheader=t | rex "(?\S+)" | stats dc(host) as dc by package | eventstats max(dc) as max | where dc = max | table package

Tags (2)
0 Karma

marklaw2
Explorer

Here's what I use to pull all software installed on Linux machines.

A different type of output show hosts and installed software:

sourcetype=package index=os
| multikv noheader=t
| rex field=_raw "^(?P[^ ]+)\s+(?P[^ ]+)\s+(?P[^ ]+)\s+(?P\w+)"
| search NOT NAME NOT VERSION NOT RELEASE NOT ARCH
| dedup host package version release arch
|table host package version release arch

0 Karma

yrb6924
New Member

In fact what I need is even easier:

index=os host="[hostname]*" sourcetype=package | dedup host

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

If you have a version field then modify your search. Notice that I also sorted it in descending order and only display top 10.

host=[hostname] sourcetype=package | multikv noheader=t | rex "(?<package>S+)" | stats dc(host) as dc by package,version | sort - dc | head 10
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...